Timestamp:
12/07/08 17:13:55 (3 years ago)
Author:
KennethLavrsen
Message:

Item375: Eliminate unsafe use of URLPARAM in docs so it does not become an XSS trap
Done with the System web topics now

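--- a/trunk/RevCommentPlugin/data/System/WebRssBaseWC.txt
+++ b/trunk/RevCommentPlugin/data/System/WebRssBaseWC.txt
@@ -50,5 +50,5 @@
   <items>
     <rdf:Seq>
-%SEARCH{"%URLPARAM{"search" default=".*" }%" web="%URLPARAM{"web" default="%INCLUDINGWEB%" }%" excludetopic="%URLPARAM{"excludetopic" default="WebStatistics" }%" type="%URLPARAM{"type" default="regex" }%" nosearch="on" order="modified" reverse="on" nototal="on" limit="%URLPARAM{"limit" default="16" }%" scope="%URLPARAM{"scope" default="text" }%" casesensitive="%URLPARAM{"casesensitive" default="on" }%" date="%URLPARAM{"date" default="" }%" format="<item rdf:about=\"%SCRIPTURL{"view"}%/$web/$topic\">$n  <title>$topic</title>$n  <link>%SCRIPTURL{"view"}%/$web/$topic</link>$n <description>%REVCOMMENT[rev=''$rev'' web=''$web'' topic=''$topic'' pre=''ChangeLog: '' delimiter='' -- '' post='''']%</description>$n  <dc:date>$isodate</dc:date>$n  <dc:contributor>$n    <rdf:Description link=\"%SCRIPTURL{"view"}%?topic=$wikiusername\">$n      <rdf:value>$username</rdf:value>$n    </rdf:Description>$n  </dc:contributor>$n</item>"}%
+%SEARCH{"%URLPARAM{"search" encode="quote" default=".*" }%" web="%URLPARAM{"web" encode="quote" default="%INCLUDINGWEB%" }%" excludetopic="%URLPARAM{"excludetopic" encode="quote" default="WebStatistics" }%" type="%URLPARAM{"type" encode="quote" default="regex" }%" nosearch="on" order="modified" reverse="on" nototal="on" limit="%URLPARAM{"limit" encode="quote" default="16" }%" scope="%URLPARAM{"scope" encode="quote" default="text" }%" casesensitive="%URLPARAM{"casesensitive" encode="quote" default="on" }%" date="%URLPARAM{"date" encode="quote" default="" }%" format="<item rdf:about=\"%SCRIPTURL{"view"}%/$web/$topic\">$n  <title>$topic</title>$n  <link>%SCRIPTURL{"view"}%/$web/$topic</link>$n <description>%REVCOMMENT[rev=''$rev'' web=''$web'' topic=''$topic'' pre=''ChangeLog: '' delimiter='' -- '' post='''']%</description>$n  <dc:date>$isodate</dc:date>$n  <dc:contributor>$n    <rdf:Description link=\"%SCRIPTURL{"view"}%?topic=$wikiusername\">$n      <rdf:value>$username</rdf:value>$n    </rdf:Description>$n  </dc:contributor>$n</item>"}%
     </rdf:Seq>
   </items>
@@ -59,5 +59,5 @@
   <url>%WIKILOGOIMG%</url>
 </image>
-%SEARCH{"%URLPARAM{"search" default=".*" }%" web="%URLPARAM{"web" default="%INCLUDINGWEB%" }%" excludetopic="%URLPARAM{"excludetopic" default="WebStatistics" }%" type="%URLPARAM{"type" default="regex" }%" nosearch="on" order="modified" reverse="on" nototal="on" limit="%URLPARAM{"limit" default="16" }%" scope="%URLPARAM{"scope" default="text" }%" casesensitive="%URLPARAM{"casesensitive" default="on" }%" date="%URLPARAM{"date" default="" }%" format="<item rdf:about=\"%SCRIPTURL{"view"}%/$web/$topic\">$n  <title>$topic</title>$n  <link>%SCRIPTURL{"view"}%/$web/$topic</link>$n  <description>$summary (last changed by <nop>$wikiname)</description>$n  <dc:date>$isodate</dc:date>$n  <dc:contributor>$n    <rdf:Description link=\"%SCRIPTURL{"view"}%?topic=$wikiusername\">$n      <rdf:value>$username</rdf:value>$n    </rdf:Description>$n  </dc:contributor>$n</item>"}%
+%SEARCH{"%URLPARAM{"search" default=".*" }%" web="%URLPARAM{"web" encode="quote" default="%INCLUDINGWEB%" }%" excludetopic="%URLPARAM{"excludetopic" encode="quote" default="WebStatistics" }%" type="%URLPARAM{"type" encode="quote" default="regex" }%" nosearch="on" order="modified" reverse="on" nototal="on" limit="%URLPARAM{"limit" encode="quote" default="16" }%" scope="%URLPARAM{"scope" encode="quote" default="text" }%" casesensitive="%URLPARAM{"casesensitive" encode="quote" default="on" }%" date="%URLPARAM{"date" encode="quote" default="" }%" format="<item rdf:about=\"%SCRIPTURL{"view"}%/$web/$topic\">$n  <title>$topic</title>$n  <link>%SCRIPTURL{"view"}%/$web/$topic</link>$n  <description>$summary (last changed by <nop>$wikiname)</description>$n  <dc:date>$isodate</dc:date>$n  <dc:contributor>$n    <rdf:Description link=\"%SCRIPTURL{"view"}%?topic=$wikiusername\">$n      <rdf:value>$username</rdf:value>$n    </rdf:Description>$n  </dc:contributor>$n</item>"}%
 %STOPINCLUDE%
 </verbatim>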
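Review bot: On the new line 61 in the second hunk the first parameter, `%URLPARAM{"search" default=".*" }%`, is still emitted without `encode="quote"`, while every other URLPARAM on that line and the same parameter on new line 52 in the first hunk received it; it should read `%URLPARAM{"search" encode="quote" default=".*" }%`. Since `search` is the value a caller is most likely to set from the query string and it is spliced straight into the first argument of %SEARCH, a `"` in that URL parameter appears to still be able to close the argument and inject further SEARCH parameters (for example a different `format`) into the feed, which is exactly the trap this commit sets out to close. Note also that `encode="quote"` only escapes double quotes so the value cannot break out of the enclosing parameter; it does not XML-encode the value, so it is sufficient here only because the search term is never echoed in `format`. The `type` parameter is likewise taken from the URL with default `regex`, so a caller-supplied regex is run over the whole web; that is pre-existing and out of scope for this change, but a fixed type or a documented limit may be worth considering separately.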